Computer System and Access Right Setting Method

ABSTRACT

IC cards (R 11 , R 12 , and R 21 ) are issued respectively to users α, β, and γ. An identification code (ID( 11 )) of a computer ( 11 ) supplied to user α and environment information (ENV( 11 )) that indicates a normal network environment of the computer ( 11 ) are recorded in the IC card (R 11 ) issued to user α. When in order to use a computer, a user connects his/her IC card, the identification code and the network environment of the computer to be used are compared with the identification code and environment information recorded in the IC card and different access rights are provided in accordance to the degree of matching. The identification code may be a MAC address of a LAN circuit incorporated in the computer, and the environment information may be a default gateway address or the like. Different access rights can thus be set according to the computer or the network environment that is used.

TECHNICAL FIELD

This invention concerns a computer system and an access right settingmethod and particularly concerns an art for ensuring security inaccessing to server computers from client computers via a network.

BACKGROUND ART

Presently, computers are generally used while being connected to eachother via networks, and networks that incorporate hubs, LAN switches,routers, etc., have come to be constructed not only in companies butalso in general households. Also generally in a company, a dedicatednetwork, such as an intra-company LAN or WAN is constructed and servercomputers with various functions that suit the forms of business ofrespective departments are used upon being connected to this network.Individual employees connect personal computers or other clientcomputers to the network and perform work while carrying outtransactions of data with the server computers.

Security management is extremely important in operating a computersystem using such a network. That is, not only must the respectivecomputers connected to the network be protected against unauthorizedaccess by external hackers but also operation, of a form wherein evenemployees belonging to the same company are respectively subject tounique access restrictions that are in accordance to each employee'sdepartment and job responsibilities, is essential.

Various security management arts have thus been proposed for computersystems using networks. For example, Japanese Unexamined PatentPublication No. 2000-10930 and Japanese Unexamined Patent PublicationNo. 2003-122635 disclose arts for managing unique access rightsaccording to each individual user in a computer system wherein clientcomputers and server computers are connected via a network.

Conventional security management methods, including the arts disclosedin the aforementioned patent publications, are based on a basic conceptof setting predetermined access rights according to each individualuser. That is, in a generally implemented form of operation, each useris provided with a predetermined account (username) and a password,predetermined access rights are set for each individual account, andwhen a login procedure by a specific account is performed, the passwordis verified to confirm that the login procedure is legitimate and thenaccess within the access right range set for that account is enabled.

Although the basic policy of setting specific access rights according toeach individual user is extremely rational from a broad perspective,many recent situations, wherein the contents of business forms using acomputer system are becoming more and more complex, cannot necessarilybe accommodated just by such a basic policy. In particular, with acompany with a large number of employees, the existence of employees whowill perform an illicit act cannot be denied completely and it is thusdangerous to completely trust individual employees and provide the sameaccess right unconditionally under all circumstances.

An object of this invention is to provide a computer system that enablesdifferent access rights to be set for individual users according tocircumstances (according to the computers and network environment used).

DISCLOSURE OF INVENTION

(1) The first feature of the present invention resides in a computersystem comprising: a network; a server computer connected to thenetwork; a plurality of client computers connectable to the network; andportable information recording media issued respectively to individualusers for use upon connection to the client computers; wherein

a unique identification code is recorded in each of the client computersso as to enable distinction from other client computers,

an identification code that corresponds to a specific identificationcode recorded in a specific client computer is recorded in each of theportable information recording media, and

each of the client computers comprises an interface means for connectinga portable information recording medium, an identification codecomparing means that compares an identification code recorded in acurrently connected portable information recording medium and anidentification code recorded in itself, an access right setting meansthat sets a predetermined access right based on a comparison result, anda server access means that performs access to the server computer withina range of the access right that has been set.

(2) The second feature of the present invention resides in a computersystem comprising: a network; a server computer connected to thenetwork; a plurality of client computers connectable to the network; andportable information processing devices issued respectively toindividual users for use upon connection to the client computers;wherein

a unique identification code is recorded in each of the client computersso as to enable distinction from other client computers,

an identification code that corresponds to a specific identificationcode recorded in a specific client computer is recorded in each of theportable information processing devices,

each of the client computers comprises an interface means for connectinga portable information processing device, and a server access means thatperforms access to the server computer within a range of an access rightthat is transmitted from a currently connected portable informationprocessing device, and

each of the portable information processing devices comprises anidentification code comparing means that compares an identification coderecorded in a currently connected client computer and an identificationcode recorded in itself, an access right setting means that sets apredetermined access right based on a comparison result, and an accessright transmitting means that transmits, to the currently connectedclient computer, the access right that has been set.

(3) The third feature of the present invention resides in a computersystem according to the first or second feature, wherein

the access right setting means sets a first access right when thecomparison result indicates matching and sets a second access right,with more restrictions than the first access right, when the comparisonresult indicates mismatching.

(4) The fourth feature of the present invention resides in a computersystem according to the first to third features, wherein

a MAC address provided to a LAN communication circuit incorporated in aclient computer, unique data stored in a storage device of the clientcomputer, or information indicating an arrangement of applicationprograms stored in a storage device of the client computer is used as aunique identification code for identifying the client computer.

(5) The fifth feature of the present invention resides in a computersystem comprising: a network; a server computer connected to thenetwork; a plurality of client computers connectable to the network; andportable information recording media issued respectively to individualusers for use upon connection to the client computers; wherein

environment information that indicates a specific network environmentthat is obtained when a client computer is connected to a specificlocation of the network is recorded in each of the portable informationrecording media, and

each of the client computers comprises an interface means for connectinga portable information recording medium, an environment comparing meansthat compares a network environment indicated by environment informationrecorded in a currently connected portable information recording mediumand a current network environment of itself, an access right settingmeans that sets a predetermined access right based on a comparisonresult, and a server access means that performs access to the servercomputer within a range of the access right that has been set.

(6) The sixth feature of the present invention resides in a computersystem comprising: a network; a server computer connected to thenetwork; a plurality of client computers connectable to the network; andportable information processing devices issued respectively toindividual users for use upon connection to the client computers;wherein

environment information that indicates a specific network environmentthat is obtained when a client computer is connected to a specificlocation of the network is recorded in each of the portable informationprocessing devices,

each of the client computers comprises an interface means for connectinga portable information processing device, and a server access means thatperforms access to the server computer within a range of an access rightthat is transmitted from a currently connected portable informationprocessing device, and

each of the portable information processing devices comprises anenvironment comparing means that compares a network environment of acurrently connected client computer and a network environment indicatedby environment information recorded in itself, an access right settingmeans that sets a predetermined access right based on a comparisonresult, and an access right transmitting means that transmits, to thecurrently connected client computer, the access right that has been set.

(7) The seventh feature of the present invention resides in a computersystem according to the fifth or sixth feature, wherein

the access right setting means sets a first access right when thecomparison result indicates matching and sets a second access right,with more restrictions than the first access right, when the comparisonresult indicates mismatching.

(8) The eighth feature of the present invention resides in a computersystem according to the fifth to seventh features, wherein

an IP address provided to a client computer, a default gateway addressset for the client computer, a proxy server address set for the clientcomputer, or a domain name which can be referred by a DNS server used bythe client computer is used as environment information that indicates anetwork environment of the client computer.

(9) The ninth feature of the present invention resides in a computersystem comprising: a network; a server computer connected to thenetwork; a plurality of client computers connectable to the network; andportable information recording media issued respectively to individualusers for use upon connection to the client computers; wherein

a unique identification code is recorded in each of the client computersso as to enable distinction from other client computers,

an identification code that corresponds to a specific identificationcode recorded in a specific client computer and environment informationthat indicates a specific network environment that is obtained when aclient computer is connected to a specific location of the network arerecorded in each of the portable information recording media, and

each of the client computers comprises an interface means for connectinga portable information recording medium, an identification codecomparing means that compares an identification code recorded in acurrently connected portable information recording medium and anidentification code recorded in itself, an environment comparing meansthat compares a network environment indicated by environment informationrecorded in a currently connected portable information recording mediumand a current network environment of itself, an access right settingmeans that sets a predetermined access right based on comparisonresults, and a server access means that performs access to the servercomputer within a range of the access right that has been set.

(10) The tenth feature of the present invention resides in a computersystem comprising: a network; a server computer connected to thenetwork; a plurality of client computers connectable to the network; andportable information processing devices issued respectively toindividual users for use upon connection to the client computers;wherein

a unique identification code is recorded in each of the client computersso as to enable distinction from other client computers,

an identification code that corresponds to a specific identificationcode recorded in a specific client computer and environment informationthat indicates a specific network environment that is obtained when aclient computer is connected to a specific location of the network arerecorded in each of the portable information processing devices,

each of the client computers comprises an interface means for connectinga portable information processing device, and a server access means thatperforms access to the server computer within a range of an access rightthat is transmitted from a currently connected portable informationprocessing device, and

each of the portable information processing devices comprises anidentification code comparing means that compares an identification coderecorded in a currently connected client computer and an identificationcode recorded in itself, an environment comparing means that compares anetwork environment of the currently connected client computer and anetwork environment indicated by environment information recorded initself, an access right setting means that sets a predetermined accessright based on comparison results, and an access right transmittingmeans that transmits, to the currently connected client computer, theaccess right that has been set.

(11) The eleventh feature of the present invention resides in a computersystem according to the ninth or tenth feature, wherein

the access right setting means sets a first access right when the resultof comparison by the identification code comparing means indicatesmatching, sets a second access right, with more restrictions than thefirst access right, when the result of comparison by the identificationcode comparing means indicates mismatching but the result of comparisonby the environment comparing means indicates matching, and sets a thirdaccess right, with even more restrictions than the second access right,when neither of the comparison results indicates matching.

(12) The twelfth feature of the present invention resides in a computersystem according to the ninth or tenth feature, wherein

the access right setting means sets a first access right when both theresult of comparison by the identification code comparing means and theresult of comparison by the environment comparing means indicatematching, sets a second access right, with more restrictions than thefirst access right, when the result of comparison by the identificationcode comparing means indicates matching but the result of comparison bythe environment comparing means indicates mismatching, and sets a thirdaccess right, with even more restrictions than the second access right,when neither of the comparison results indicates matching.

(13) The thirteenth feature of the present invention resides in anaccess right setting method for a computer system comprising: a network;a server computer connected to the network; and a plurality of clientcomputers connectable to the network; the method setting an access rightwhen each individual, user uses a client computer to access the servercomputer and comprising:

a preparation step, wherein a portable information processing device, tobe used by connecting to a client computer, is issued to each individualuser, and an identification code, corresponding to a uniqueidentification code that is recorded in a specific client computer andenables distinction of the specific client computer from other clientcomputers, is recorded in the portable information processing device;and

an access right setting step, wherein when a user connects apredetermined portable information processing device, issued tohim/herself, to a predetermined client computer and performs a loginprocedure on the predetermined client computer, the predetermined clientcomputer or the predetermined portable information processing device ismade to compare an identification code recorded in the predeterminedclient computer with an identification code recorded in thepredetermined portable information processing device and set apredetermined access right based on a comparison result;

wherein when in the access right setting step, the comparison resultindicates mismatching, an access right with more restrictions than whenthe comparison result indicates matching is set.

(14) The fourteenth feature of the present invention resides in anaccess right setting method for a computer system comprising: a network;a server computer connected to the network; and a plurality of clientcomputers connectable to the network; the method setting an access rightwhen each individual user uses a client computer to access the servercomputer and comprising:

a preparation step, wherein a portable information processing device, tobe used by connecting to a client computer, is issued to each individualuser, and environment information that indicates a specific networkenvironment that is obtained when a client computer is connected to aspecific location of the network is recorded in the portable informationprocessing device; and

an access right setting step, wherein when a user connects apredetermined portable information processing device, issued tohim/herself, to a predetermined client computer and performs a loginprocedure on the predetermined client computer, the predetermined clientcomputer or the predetermined portable information processing device ismade to compare a current network environment of the predeterminedclient computer with a network environment indicated by environmentinformation recorded in the predetermined portable informationprocessing device and set a predetermined access right based on acomparison result;

wherein when in the access right setting step, the comparison resultindicates mismatching, an access right with more restrictions than whenthe comparison result indicates matching is set.

(15) The fifteenth feature of the present invention resides in an accessright setting method for a computer system comprising: a network; aserver computer connected to the network; and a plurality of clientcomputers connectable to the network; the method setting an access rightwhen each individual user uses a client computer to access the servercomputer and comprising:

a preparation step, wherein a portable information processing device, tobe used by connecting to a client computer, is issued to each individualuser, and an identification code, corresponding to a uniqueidentification code that is recorded in a specific client computer andenables distinction of the specific client computer from other clientcomputers, and environment information that indicates a specific networkenvironment that is obtained when a client computer is connected to aspecific location of the network are recorded in the portableinformation processing device; and

an access right setting step, wherein when a user connects apredetermined portable information processing device, issued tohim/herself, to a predetermined client computer and performs a loginprocedure on the predetermined client computer, the predetermined clientcomputer or the predetermined portable information processing device ismade to compare an identification code recorded in the predeterminedclient computer with an identification code recorded in thepredetermined portable information processing device, compare a currentnetwork environment of the predetermined client computer with a networkenvironment indicated by environment information recorded in thepredetermined portable information processing device, and set apredetermined access right based on comparison results;

wherein in the access right setting step, if an identification codecomparison result indicates matching, a first access right is set, ifthe identification code comparison result indicates mismatching but anetwork environment comparison result indicates matching, a secondaccess right, with more restrictions than the first access right, isset, and if neither of the comparison results indicate matching, a thirdaccess right, with even more restrictions than the second access right,is set.

(16) The sixteenth feature of the present invention resides in an accessright setting method for a computer system comprising: a network; aserver computer connected to the network; and a plurality of clientcomputers connectable to the network; the method setting an access rightwhen each individual user uses a client computer to access the servercomputer and comprising:

a preparation step, wherein a portable information processing device, tobe used by connecting to a client computer, is issued to each individualuser, and an identification code, corresponding to a uniqueidentification code that is recorded in a specific client computer andenables distinction of the specific client computer from other clientcomputers, and environment information that indicates a specific networkenvironment that is obtained when a client computer is connected to aspecific location of the network are recorded in the portableinformation processing device; and

an access right setting step, wherein when a user connects apredetermined portable information processing device, issued tohim/herself, to a predetermined client computer and performs a loginprocedure on the predetermined client computer, the predetermined clientcomputer or the predetermined portable information processing device ismade to compare an identification code recorded in the predeterminedclient computer with an identification code recorded in thepredetermined portable information processing device, compare a currentnetwork environment of the predetermined client computer with a networkenvironment indicated by environment information recorded in thepredetermined portable information processing device, and set apredetermined access right based on comparison results;

wherein in the access right setting step, if both an identification codecomparison result and a network environment comparison result indicatematching, a first access right is set, if the identification codecomparison result indicates matching but the network environmentcomparison result indicates mismatching, a second access right, withmore restrictions than the first access right, is set, and if neither ofthe comparison results indicate matching, a third access right, witheven more restrictions than the second access right, is set.

(17) The seventeenth feature of the present invention resides in aprogram for making a computer function as a client computer in thecomputer system according to the first to twelfth features, or acomputer-readable recording medium recording the program.

With this invention's computer system, since access rights can be set byrecognizing that a client computer that a user is using is a specificclient computer that has been prepared for that user or is in a specificnetwork environment prepared for that user, different access rights canbe set for individual users according to circumstances.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram of a general computer system that is arrangedby connecting server computers and client computers to a network;

FIG. 2 is a block diagram for describing a first embodiment of thisinvention and shows a portion of the computer system shown in FIG. 1;

FIG. 3 is a block diagram of the arrangement of a client computer forimplementing the first embodiment shown in FIG. 2;

FIG. 4 is a block diagram of the arrangement of a modification exampleof the first embodiment shown in FIG. 2, wherein a comparison processand an access right setting process are executed at a portableinformation processing device;

FIG. 5 is a block diagram for describing a second embodiment of thisinvention and shows a portion of the computer system shown in FIG. 1;

FIG. 6 is a block diagram of the arrangement of a client computer forimplementing the second embodiment shown in FIG. 5;

FIG. 7 is a block diagram of the arrangement of a modification exampleof the second embodiment shown in FIG. 5, wherein a comparison processand an access right setting process are executed at a portableinformation processing device;

FIG. 8 is a block diagram for describing a third embodiment of thisinvention and shows a portion of the computer system shown in FIG. 1;

FIG. 9 is a block diagram of the arrangement of a client computer forimplementing the third embodiment shown in FIG. 8;

FIG. 10 is a block diagram of the arrangement of a modification exampleof the third embodiment shown in FIG. 8, wherein comparison processesand an access right setting process are executed at a portableinformation processing device;

FIG. 11 is a flowchart of an example of the access right setting methodof the third embodiment of this invention; and

FIG. 12 is a flowchart of another example of the access right settingmethod of the third embodiment of this invention.

BEST MODE FOR CARRYING OUT THE INVENTION

This invention is described based on the illustrated embodiments.

Section 0. Background for Adopting this Invention

First, the background for adopting this invention will be described withreference to the example shown in FIG. 1. FIG. 1 is a block diagram of acomputer system model arranged by connecting two server computers 110and 120 and eight client computers 11, 12, 13, 14, 21, 22, 23, and 31 toa network 100. Although a larger number of server computers and a largernumber of client computers are normally used in a computer system thatis used in a general company, the illustrated simplified model shall bedescribed here for the sake of convenience.

Network 100 is normally arranged from a plurality of routers and variouswirings that connect the routers. Although there are generally variousnetwork forms, such as LAN, WAN, Internet, etc., network 100 mayarranged from any of such forms. Also, although in the figure, network100 and respective client computers are connected by lines, these do notnecessarily have to be wire-connected and a wireless LAN may be usedinstead.

Here, for the sake of description, it shall be deemed that this computersystem is used in a single company, that client computers 11, 12, 13,and 14 are installed in a personnel department 10 of the company, thatclient computers 21, 22, and 23 are installed in a lounge 20 of thiscompany, and that client computer 31 is installed in a room of a companydormitory 30 of this company. Furthermore, one employee belonging to thepersonnel department shall be referred to user a and it shall be deemedthat client computer 11 is installed on a desk of user a insidepersonnel department 10. That is, client computer 11 is supplied to usera from the company and user α performs daily business by operatingclient computer 11 while sitting at his/her own desk.

Meanwhile, various data for the business of this company are accumulatedin server computers 110 and 120 and each individual employee accessesserver computers 110 and 120 from a client computer as necessary toperform such processes as reading, writing, and modifying necessarydata. Here, for the sake of description, it shall be deemed that generalbusiness data, the access to which should be permitted to all employees,are stored in server computer 110 and that exclusive business data ofhigh confidentiality, which should be accessed only by employeesbelonging to specific departments, are stored in server computer 120.

Security management is obviously important in operating such a computersystem. With the general, conventional security management method, theform of operation, wherein unique access rights are set for eachindividual employee in accordance to the employee's department and jobresponsibility, is implemented. In the case of the above example, anaccess right enabling the reading of general business data in servercomputer 110 and an access right enabling the reading and writing ofpersonnel-department-exclusive business data in server computer 120 areset for user α, who is a staff member of the personnel department.

In carrying out such access right management according to user, the formof operation, wherein each individual user is provided with apredetermined account (username) and a password, predetermined accessrights are set for each individual account, and when a login procedureis performed by a specific account, the password is verified to confirmthat the login procedure is legitimate and then access within the accessright range set for that account is enabled, is normally implemented.With the above example, when user α, who is a personnel department staffmember, starts up client computer 11 that is installed on his/her deskand begins a procedure for starting use, user α is requested to performan operation of inputting a predetermined account and a predeterminedpassword. After the account and the password that have been input hereare certified as being legitimate, user α is enabled to access servercomputers 110 and 120 within the range of the access right set for userα in advance.

General security management methods that have been implementedconventionally are based on the basic policy of setting a specificaccess right according to each individual user as in the above-describedexample. Obviously, on the premise that each individual employee (user)will carry out work honestly at all times, security management based onsuch a basic policy is extremely rational. However, with a company witha large number of employees, security management must be implemented inconsideration of the possibility of illicit activities by employees aswell.

For example, suppose there is an unwritten rule among the personneldepartment staff that “the pay slips of individual employees must not beshown to people of other departments.” With the above example, sinceuser α, who is a personnel department staff member, is given the rightto access personnel-department-exclusive business data in servercomputer 120, user α can make the pay slips of individual employees bedisplayed on the screen of client computer 11 on his/her own desk andbrowse the data. Under these circumstances, the possibility ofperforming an act that will violate the above-mentioned unwritten rulewill be low. In the least, since, in the room in which client computer11 is installed, other staff of the personnel department will be workingand there will be supervision by a superior, it is unlikely for one toventure to perform an act of calling a friend of another department tohis/her own desk and allow the friend to browse pay slips displayed onclient computer 11.

However, it can be understood that the situation will change in a casewhere user α is taking a break with friends in lounge 20. If user α isprovided the access right of user α as they are even when he/she logs inusing client computer 21 installed in lounge 20, it becomes possible todisplay the pay slips of individual employees even on the screen ofclient computer 21 installed in lounge 20. Since supervision of asuperior will not extend to lounge 20, the possibility of one allowing afriend to browse pay slip information in violation of the rule will behigh. Furthermore, if user α is provided the access right of user α asthey are even when he/she returns to his/her own room in companydormitory 30 and logs in using client computer 31 that is installed inthe room, the possibility that the rule will be broken will become evenhigher.

Besides the above, there are innumerable cases where the possibility ofcommitting a rule violation increases depending on the installationenvironment of a client computer. For example, suppose there is anin-company rule that “personnel department staff must not store or printout personnel-department-exclusive business data in or onto an externalrecording medium without the permission of a personnel departmentmanager.” According to this in-company rule, a personnel departmentstaff member is enabled to access personnel-department-exclusivebusiness data in server computer 120 but is prohibited from storing thedata in a floppy disk or CD-R or printing out the data withoutpermission. The possibility that an act in violation of this rule willbe committed using any of client computers 11 to 14 disposed inpersonnel department 10 will thus be low. Since an act of storing in afloppy disk or an act of printing out can be noticed readily by asupervisor or other staff, one, out of guilt, would voluntarily refrainfrom committing a violation. However, circumstances will differ in casesof use of any of client computers 21 to 23 disposed in lounge 20 orclient computer 31 disposed in company dormitory 30.

Also with a department in which confidentiality is stressed, monitorcameras may be installed at the entrances and exits to the departmentand checks by security staff may be made mandatory in entering andexiting the department. With such a department, since even ifconfidential data are stored in a floppy disk or CD-R or are printedout, it is difficult to take the data outside the department, thepossibility that a rule violation will be committed will be low.However, if the same access right is provided even in the case of usingclient computer 31 installed in company dormitory 30, the significanceof security will be lost even if entrance and exit to and from thedepartment is controlled strictly.

Needless to say, normally as a method of resolving such a securityissue, a method of constructing a firewall is employed. With the exampleshown in FIG. 1, by incorporating a plurality of routers in network 100,constructing firewalls according to each individual area, andimplementing a form of operation, wherein when an access to servercomputer 120 is made via node N2 or N3, this access is rejected, theabove-mentioned illicit act can be prevented. However, complex settingsconcerning the network, such as setting up which type of firewall where,become necessary. This invention aims to resolve such security issues bythe different approach described below.

Section 1. First Embodiment of the Invention

FIG. 2 is a block diagram for describing a first embodiment of thisinvention and shows a portion of the computer system shown in FIG. 1. Abasic concept of this first embodiment is a form of operation, wherein aprimary client computer is established for each individual user andwhereas access according to the primary access right set for the user isenabled when a user performs access using the primary client computer,only access according to an access right with more restrictions than theprimary access right set for the user is enabled when the user performsaccess using a client computer besides the primary client computer.

As an example, a case where three users α, β, and γ use this computersystem shall be considered. Here, it shall be deemed that users α and βare both personnel department staff, and user γ is a general affairsdepartment staff member, who manages the lounge. It shall also be deemedthat user α is supplied with computer 11 as the primary client computer,user β is supplied with computer 12 as the primary client computer, anduser γ is supplied with computer 21 as the primary client computer. Asshown in FIG. 1, client computers 11 and 12, supplied to users α and βare installed in the room of personnel department 10 and client computer21, supplied to user γ is installed in lounge 20.

In order to implement the security management in this invention'scomputer system, a portable information recording medium to be used forconnecting to client computers is issued to each individual user. Anexample, wherein portable information recording media R11, R12, and R13are issued to the three users α, β, and γ, respectively, is shown inFIG. 2. These portable information recording media R11, R12, and R21 maybe of any form as long as these are media that can be carried readily bythe respective users and have a function of recording data. However forpractical use, media enabling adequate security to be ensured forrecorded data are preferably used. Specifically, IC cards are usedoptimally as the portable information recording media. IC cards excel atportability and enable adequate security to be ensured for recordeddata.

The portable information recording media do not have to be media thatare exclusively for use in this invention and may be used in common withother applications. For example, companies that issue employee ID cardsthat make use of IC cards have been increasing recently, and in such acase, it is sufficient to use the employee ID cards as the portableinformation recording media. In the description that follows, it shallbe deemed that portable information recording media R11, R12, and R21,shown in FIG. 2, are employee ID cards arranged from IC cards that areissued to users α, β, and γ respectively.

In the first embodiment, an identification code of a specific clientcomputer is recorded in each of portable information recording mediaR11, R12, and R13. Here, the specific client computer is the primarycomputer to be used by the corresponding user. With the example shown inFIG. 2, an identification code ID(11) of client computer 11, which userα is to use primarily, is recorded in portable information recordingmedium R11 issued to user α (the IC card issued as the employee ID cardof user α). Likewise, an identification code ID(12) of client computer12, which user β is to use primarily, is recorded in portableinformation recording medium R12 issued to user β (the IC card issued asthe employee ID card of user β), and an identification code ID(21) ofclient computer 21, which user γ is to use primarily, is recorded inportable information recording medium R21 issued to user γ (the IC cardissued as the employee ID card of user γ).

As the identification code of a client computer, any code may be used aslong as it is an identification code that is recorded in some portioninside the client computer and is a unique identification code enablingthe client computer to be distinguished from other client computers.

For example, a MAC address (Media Access Control Address), provided to aLAN communication circuit incorporated in a client computer, may be usedas the identification code in this invention. Each client computer isequipped with a LAN communication circuit for connecting to network 100.Presently, LAN communication circuits for Ethernet that are used asstandard are provided with unique MAC addresses that are set by therespective makers. Moreover, this MAC address is recorded in an IC chipin the LAN communication circuit and can be read using a function of theOS of a client computer if necessary. Thus by using the MAC address asthe identification code, all client computers can be distinguished fromeach other. In this case, the MAC address of the LAN communicationcircuit incorporated in client computer 11 is recorded as identificationcode ID(11) in portable information recording medium R11, which isissued as the employee ID card of user α.

Needless to say, the code that can be used as the identification code inthis invention is not restricted to the MAC address and any code may beused as the identification code in the same manner as the MAC address aslong as it is unique data stored in a storage device of a clientcomputer. For example, if each individual client computer is providedwith a unique serial number and if this serial number is recorded insome form inside each client computer, this serial number may be used asthe identification code. Or, a unique serial number may be writtenintentionally into a specific area of a hard disk of each clientcomputer and used as the identification code.

Information indicating the arrangement of application programs stored inthe storage device of each client computer may also be used as theunique identification code for identifying the client computer.Normally, each client computer has predetermined application programsinstalled therein according to business, and the fact that specificapplication programs are installed may be used as the identificationcode. Actually, since in many cases there are a plurality of computershaving the same types of application programs installed, in such a case,serial numbers that are input in installing the application programs maybe used as information indicating the arrangement of the applicationprograms and thus as the identification code. That is, in many caseswith a general application program, the input of a predetermined serialnumber is required in the installation process and the serial numberthat is input is recorded in the hard disk device, etc. Individualclient computers can thus be distinguished from each other using theapplication program serial numbers as the identification code.

When the preparation step of recording the identification code of aspecific computer in each of portable information recording media R11,R12, and R21 issued to users α, β, and γ, respectively is completed asshown in FIG. 2, operation of this computer system can be started. Withthis computer system, when a user uses the client computer supplied tothe user, the user is required to perform a task of connecting the ICcard issued as the employee ID card, that is, the portable informationrecording medium to the client computer. For example, in using clientcomputer 11 on his/her own desk, user α must connect portableinformation recording medium R11, which is the IC card that has beenissued as the employee ID card, to client computer 11 and perform apredetermined usage starting procedure (a procedure that is generallyreferred to as a login procedure or logon procedure). Thus in thepresent embodiment, each client computer has a reader/writer device forIC cards.

The basic principle of security management in this embodiment's computersystem lies in the point that when a user connects a predeterminedportable information recording medium, issued to the user him/herself,to a predetermined client computer and performs the login procedure onthe predetermined client computer, the identification code recorded inthe predetermined client computer is compared with the identificationcode recorded in the predetermined portable information recording mediumand a predetermined access right is set based on the comparison result.More specifically, when the comparison result indicates mismatching, anaccess right with more restrictions than in the case where thecomparison result indicates matching are set.

With the example shown in FIG. 2, when user α connects portableinformation recording medium R11, which has been issued as user α's ownemployee ID card, to client computer 11, which is installed in personneldepartment 10 and is the computer that user α is to use primarily, andperforms the login procedure, a task of comparing identification codeID(11), recorded in client computer 11, with identification code ID(11),recorded in portable information recording medium R11, is performed.Access rights are then set based on the comparison result. With thisexample, since the comparison result indicates matching, the primaryaccess right set for user α are provided in response to the act ofaccess by user a using client computer 11. For example, user α isprovided the access right enabling the reading of general business datain server computer 110 and the access right of enabling the reading andwriting of personnel-department-exclusive business data in servercomputer 120.

The case where user α performs access using client computer 21,installed in lounge 20, shall now be considered. In this case, althoughuser α performs the login procedure upon connecting portable informationrecording medium R11 to client computer 21, since identification codeID(21), recorded in client computer 21, does not match identificationcode ID(11), recorded in portable information recording medium R11, anaccess right with more restrictions is set in comparison to the casewhere the comparison result indicates matching. For example, an accessright is provided that enable reading of general business data in servercomputer 110 but prohibit any access to personnel-department-exclusivebusiness data in server computer 120.

When such operation is carried out, although a user will be providedwith the primary access right when using a predetermined primary clientcomputer, the access right of the user will be restricted when the useruses a client computer other than the primary client computer. With theabove example, although user α is enabled to access the respectiveserver computers using the primary access right provided to personneldepartment staff as long as he/she works on client computer 11 that isinstalled in personnel department 10, when user α uses a client computerinstalled in lounge 20 or company dormitory 30, he/she cannot acquirehis/her primary access right. The security issues described in Section 0can thus be resolved.

In order to perform the identification code comparison process and theaccess right setting process according to the comparison result,corresponding components must be prepared inside a client computer. FIG.3 is a block diagram of the arrangement of client computer 11 forimplementing the first embodiment. As illustrated, client computer 11has a server access means 11A, an access right setting means 11B, anidentification code comparing means 11C, and an interface means 11D.Although obviously besides these, various components for realizingfunctions as a client computer (for example, a CPU, memory, hard disk,input/output device, etc., for executing an OS program and applicationprograms) are equipped, description thereof shall be omitted here.

As mentioned above, this client computer 11 has recorded therein theunique identification code ID(11) that enables it to be distinguishedfrom other client computers. If for example, the MAC address is to beused as identification code ID(11), since identification code ID(11)will then incorporated in client computer 11 from the beginning, a taskof writing an identification code into client computer 11 will beabsolutely unnecessary. Meanwhile, identification code ID(11) is alsorecorded in portable information recording medium R11, and for this, awriting task must be performed by a manager of the computer system.Although in the example shown here, portable information recordingmedium R11 is an IC card that is issued as the employee ID card of userα and thus numerous data besides identification code ID(11) are recordedtherein, description of these other data shall be omitted.

Here, interface means 11D is a component for connecting portableinformation recording medium R11 and, with the present example, isarranged from a reader/writer device for IC cards. In performing thelogin procedure on client computer 11, the user installs portableinformation recording medium R11, which is an IC card, in interfacemeans 11D, which is a reader/writer device, and can thereby put the twocomponents in a connected state. In ending use, the two components canbe separated from each other by drawing the IC card out of thereader/writer device.

Identification code comparing means 11C is a component having a functionof comparing the identification code recorded in the presently connectedportable information recording medium and the identification coderecorded in itself, and access right setting means 11B is a componenthaving a function of setting a predetermined access right based on thecomparison result. When the comparison result indicates matching, accessright setting means 11B sets a first access right and when thecomparison result indicates mismatching, access right setting means 11Bsets a second access right with more restrictions than the first accessright. Server access means 11A is a component that performs access toserver computers 110 and 120 within the range of the access right thathas been set.

In the case of the illustrated example, since user α uses portableinformation recording medium R11, which is his/her own employee ID card,to perform the login procedure on client computer 11, the result ofcomparison by identification code comparing means 11C will indicatematching. That is, since identification code comparing means 11Cperforms a process of comparing identification code ID(11) in portableinformation recording medium R11 that has been read via interface means11D and identification code ID(11) recorded in client computer 11, aresult indicating that the two are matched is obtained in this exampleand access right setting means 11B thus sets the first access right.

If the same login procedure is carried out on client computer 21installed in lounge 20, since identification code ID(11) in portableinformation recording medium R11 and identification code ID(21) recordedin client computer 21 are not matched, identification code comparingmeans 21C in client computer 21 will indicate a mismatching result andaccess right setting means 21B will set the second access right.

In the above example, a right enabling the reading of general businessdata in server computer 110 and enabling the reading and writing ofpersonnel-department-exclusive business data in server computer 120 isset as the first access right, and a right enabling the reading ofgeneral business data in server computer 110 but prohibiting any accessto data in server computer 120 is set as the second access right.

The setting of such specific contents of allowing/disallowing accessdoes not necessarily have to be carried out by the access right settingmeans in the client computer. Indeed for practical use, it is morepreferable for the access right setting means to just select betweeneither the first access right or the second access right and for thedetails of the allowing/disallowing of access to be set at the servercomputer side. For example, settings are made so that in regard to thepersonnel-department-exclusive business data in server computer 120,reading and writing are enabled if access is made by user α with thefirst access right and any access is rejected if access is made by userα with the second access right. In this case, the verification that theaccess is made by user α can be made by comparison of the account nameand the password provided to user α.

The identification code comparison process and the process of settingaccess right according to the comparison result do not necessarily haveto be carried out at the client computer side. That is, if the portableinformation recording medium has an information processing function,these processes may be carried out at the portable information recordingmedium side. Presently, IC cards that are used as employee ID cards havenot just the function of a simple information recording medium but arealso equipped with functions as an information processing device havinga CPU incorporated therein. By using such a portable informationrecording medium equipped with information processing functions(referred to hereinafter as a portable information processing device),the identification code comparison process and the access right settingprocess can be carried out at the portable information processing deviceside.

FIG. 4 is a block diagram of the arrangement of a modification exampleof the first embodiment, wherein the comparison process and the accessright setting process are executed at a portable information processingdevice. As illustrated, besides the point that the unique identificationcode ID(11) is recorded in client computer 11 and identification codeID(11), corresponding to the identification code recorded in clientcomputer 11, is recorded in a portable information processing deviceP11, the arrangement is exactly the same as that of the example shown inFIG. 3. However, although client computer 11 has server access means11A, which performs access to server computers within the range of anaccess right transmitted from the currently connected portableinformation processing device, and interface means 11D, for connectingthe portable information processing device, it is not equipped with anidentification code comparing means and an access right setting means.

Meanwhile, portable information processing device P11 is an IC card withinformation processing functions as mentioned above and, as illustrated,has an identification code comparing means 11E, an access right settingmeans 11F, and an access right transmitting means 11G. Identificationcode comparing means 11E is a component that compares the identificationcode recorded in the currently connected client computer and theidentification code recorded in itself, access right setting means 11Fis a component that sets a predetermined access right based on thecomparison result, and access right transmitting means 11G is acomponent that transmits the set access right to the currently connectedclient computer.

As illustrated, when user α uses portable information processing deviceP11 (IC card with information processing functions), which is user α'sown employee ID card, to perform the login procedure on client computer11, identification code comparing means 11E performs the process ofcomparing identification code ID(11) in client computer 11 that is readvia interface means 11D and identification code ID(11) recorded inportable information processing device P11. Since a result indicatingmatching of the two codes is obtained in this example, access rightsetting means 11F sets the first access right and the set access rightis transmitted via interface means 11D to server access means 11A. As aresult, server access means 11A performs access to the server computersbased on the first access right.

As a matter of course, when the same login procedure is carried out onclient computer 21 installed in lounge 20, since identification codeID(11) in portable information processing device P11 does not matchidentification code ID(21) recorded in client computer 21, a mismatchingcomparison result is obtained at identification code comparing means 11Eand access right setting means 11F sets the second access right. As aresult, server access means 11A performs access to the server computersbased on the second access right.

Section 2. Second Embodiment of this Invention

FIG. 5 is a block diagram for describing a second embodiment of thisinvention and shows a portion of the computer system shown in FIG. 1. Abasic concept of this second embodiment is a form of operation, whereininstead of establishing a primary client computer, a primary networkenvironment is established for each individual user, and whereas accessaccording to the primary access right set for a user is enabled when auser performs access using a client computer connected with the primarynetwork environment, only access according to an access right with morerestrictions than the primary access right set for the user is enabledwhen the user performs access using a client computer connected with anetwork environment besides the primary network environment.

That is, whereas with the first embodiment described above, the accessright was set according to whether or not each user is accessing from aspecific client computer that has been established in advance, with thissecond embodiment, the access right is set according to whether or noteach user is accessing from a specific network environment that has beenestablished in advance. Here, “network environment” refers to theenvironment that is obtained when a client computer is connected to aspecific location of network 100, and with the example shown in FIG. 1,client computers 11 to 14, which perform access to server computers 110and 120 via node N1 of network 100, client computers 21 to 23, whichperform access to server computers 110 and 120 via node N2, and computer31, which performs access to server computers 110 and 120 via node N3,are the computer groups that differ in network environment.

The network environment strictly indicates the environment of connectionto network 100 and is not directly relevant to the individual clientcomputers. For example, if client computer 23, which is installed inlounge 20 as shown in FIG. 1, is disconnected from the LAN in lounge 20,moved to personnel department 10, and connected to the LAN in personneldepartment 10, the network environment will be changed even with thesame client computer 23. Oppositely, when client computer 11 installedin personnel department 10 malfunctions and is replaced a new clientcomputer 15 at the same installation location, although the clientcomputer itself is different, the network environment is not changed.

With the above-described first embodiment, when the MAC address uniqueto each individual client computer is used as the identification code,the identification code will change when the computer is replaced by anew unit. In this case, a task of newly rewriting the identificationcode recorded in the portable information recording medium is necessary.With the second embodiment described here, since the access right is setupon judging not the sameness of the client computer itself but thesameness of the network environment, as long as the sameness of thenetwork environment is secured, a task of rewriting the contentsrecorded in the portable information recording medium is not necessaryeven if a computer is replaced.

An example, wherein portable information recording media R11, R12, andR21 are issued to the three users α, β, and γ, respectively, based onthe second embodiment is shown in FIG. 5. As mentioned above, theseportable information recording media R11, R12, and R21 are employee IDcards arranged from IC cards that are issued to users α, β, and γrespectively.

In the second embodiment, environment information, indicating thespecific network environment that is obtained when a client computer isconnected to a specific location of network 100, is recorded in each ofinformation recording media R11, R12, and R13. The environmentinformation that is recorded here indicates the primary networkenvironment that each user is to use. With the example shown in FIG. 5,environment information ENV(11), which indicates the network environmentthat user α is to use primarily, is recorded in portable informationrecording medium R11 issued to user α (the IC card issued as theemployee ID card of user α). Specifically, environment informationENV(11) that indicates the network environment concerning clientcomputer 11 that user a uses at his/her desk is recorded as it is inportable information recording medium R11. Likewise, environmentinformation ENV(12) that indicates the network environment, which user βis to use primarily is recorded in portable information recording mediumR12 issued to user β (the IC card issued as the employee ID card of userβ), and environment information ENV(21) that indicates the networkenvironment, which user γ is to use primarily is recorded in portableinformation recording medium R21 issued to user γ (the IC card issued asthe employee ID card of user γ).

As the environment information that indicates the network environment,any information may be used as long as the information indicates thespecific network environment that is obtained when a client computer isconnected to a specific location of network 100. Some specific examplesof information that can be used as the environment information shall nowbe described.

For example, an IP address that is provided to a client computer can beused as the environment information. Normally, a predetermined IPaddress is automatically allocated using a DHCP (Dynamic HostConfiguration Protocol) to a computer that makes up a computer system ofa company. If a form of operation, wherein a predetermined address rangeis established for each network area, is implemented, the range of theallocated addresses will differ according to the location of connectionto network 100. With the example shown in FIG. 1, if routers aredisposed respectively at nodes N1, N2, and N3 of network 100 and IPaddresses belonging to a first address range are allocated to clientcomputers 11, 12, 13, and 14 of personnel department 10 that areconnected to node N1, IP addresses belonging to a second address rangeare allocated to client computers 21, 22, and 23 of lounge 20 that areconnected to node N2, and an IP address belonging to a third addressrange is allocated to client computer 31 of company dormitory 30 that isconnected to node N3, the network environment of a client computer canbe recognized by checking to which address range the IP address,currently allocated to that client computer, belongs.

For example, if the IP address allocated to a client computer belongs tothe first address range, it can be recognized that this client computeris a computer of personnel department 10 that is connected to node N1.In the case of IPv4, IP addresses are expressed by 32-bit numerals, andfor example, if IP addresses are determined under a rule such thatclient computers connected to the same node are provided with IPaddresses that are the same in the upper 24 bits and differ in just thelower 8 bits, the upper 24 bits of the IP address can be used as theyare as the environment information that indicates the networkenvironment. With the example shown in FIG. 1, since the upper 24 bitsof the respective IP addresses of client computers 11, 12, 13, and 14belonging to personnel department 10 will be the same, these can be usedas they are as the environment information.

A default gateway address that is set for a client computer can also beused as the environment information that indicates the networkenvironment. With the example shown in FIG. 1, if routers are installedfor nodes N1, N2, and N3, respectively, the default gateway address setfor each client computer will be the IP address of the router that isinstalled at the corresponding node. For example, for client computers11, 12, 13, and 14 of personnel department 10, the IP address of therouter installed at node N1 is set as the common default gatewayaddress. Meanwhile, for client computers 21, 22, and 23 of lounge 20,the IP address of the router installed at node N2 is set as the commondefault gateway address. These default gateway addresses can thus beused as they are as the environment information indicating the networkenvironments.

In the case where not routers but proxy servers are installed at nodesN1, N2, and N3, a proxy server address that is set for a client computermay be used as the environment information that indicates the networkenvironment. Whereas a common proxy server address will be set forclient computers 11, 12, 13, and 14 of personnel department 10, adifferent common proxy server address will be set for client computers21, 22, and 23 of lounge 20.

Besides the above, a domain name that can be referenced by a DNS serverthat is used by a client computer can also be used as the environmentinformation that indicates the network environment of the clientcomputer. A DNS server is a server computer with a conversion tablefunction for mutual conversion among domain names and IP addresses. Withthe example shown in FIG. 1, if the DNS server referenced by therespective client computers installed in personnel department 10 differsfrom the DNS server referenced by the respective client computersinstalled in lounge 20 and the contents of the conversion tables in therespective DNS servers differ, these differences can be used torecognize to which group of client computers referencing a certain DNSserver a client computer belongs.

For example, if a table that converts a domain name, “Melon,” to an IPaddress is prepared in the DNS server referenced by the respectiveclient computers installed in personnel department 10 and the table thatconverts the domain name, “Melon,” to an IP address is not prepared inthe DNS server referenced by the respective client computers installedin lounge 20, when an operation of searching for the domain name,“Melon,” is performed from a client computer and this domain name isfound, it can be recognized that this client computer is a clientcomputer that is installed in personnel department 10.

As described above, any of various information that indicate thespecific network environment that is obtained when a client computer isconnected to a specific location of network 100 can be used as theenvironment information in the second embodiment. Here, suppose that apreparation step of recording specific environment information in eachof portable information recording media R11, R12, and R21 issued tousers α, β, and γ, respectively as shown in FIG. 5 has been completed.For example, environment information ENV(11) that is recorded inportable information recording medium R11 is information that indicatesthe primary network environment that user a uses and may be the upper 24bits of the IP address provided to client computer 11, the IP address(default gateway address) of the router installed at node N1, or theaddress of the proxy server installed at node N1.

With the example shown in FIG. 5, the network environment of clientcomputer 11 and the network environment of client computer 12 are thesame, and environment information ENV(11) and environment informationENV(12) will be the same. However, since the network environment ofclient computer 21 is different, environment information ENV(21) willdiffer form the above.

The basic principle of security management in this embodiment's computersystem lies in the point that when a user connects a predeterminedportable information recording medium, issued to the user him/herself,to a predetermined client computer and performs the login procedure onthe predetermined client computer, the network environment of the clientcomputer at the present point is compared with the network environmentindicated by the environment information recorded in the predeterminedportable information recording medium and predetermined access rightsare set based on the comparison result. More specifically, when thecomparison result indicates mismatching, an access right with morerestrictions than in the case where the comparison result indicatesmatching is set. This point is the same as that of the first embodimentdescribed above.

With the example shown in FIG. 5, when user a connects portableinformation recording medium R11, which has been issued as user α's ownemployee ID card, to client computer 11 of personnel department 10 andperforms the login procedure, a task of comparing environmentinformation ENV(11) that indicates the network environment of clientcomputer 11 with environment information ENV(11) recorded in portableinformation recording medium R11 is performed. Access rights are thenset based on the comparison result. With this example, since thecomparison result indicates matching, the primary access right set foruser α is provided in response to user α's act of access using clientcomputer 11. For example, user α is provided the access right enablingthe reading of general business data in server computer 110 and theaccess right enabling the reading and writing ofpersonnel-department-exclusive business data in server computer 120.

With the example shown in FIG. 5, since the network environment ofclient computer 11 is the same as the network environment of clientcomputer 12, environment information ENV(11) will be the same asenvironment information ENV(12). User a will thus be provided with theexactly same access right as that of the above-described case whenhe/she uses client computer 12. Needless to say, the same access rightwill be provided even when client computer 11 is exchanged with a newclient computer 15 and this new client computer 15 is used. Thusoperation of a higher degree of freedom is enabled with the secondembodiment described here than with the above-described firstembodiment.

The circumstances change when user a performs access using clientcomputer 21, installed in lounge 20. In this case, although user αconnects portable information recording medium R11 to client computer 21and performs the login procedure, since environment information ENV(21)that indicates the network environment of client computer 21 does notmatch environment information ENV(11), recorded in portable informationrecording medium R11, an access right with more restrictions is set incomparison to the case where the comparison result indicates matching.For example, an access right is provided that enable reading of generalbusiness data in server computer 110 but prohibit any access topersonnel-department-exclusive business data in server computer 120.

When such an operation is carried out, although a user will be providedwith the primary access right as long as he/she performs access from apredetermined primary network environment, the access right of the userwill be restricted when he/she performs access from a networkenvironment besides the primary network environment. With the aboveexample, although user α, who is a personnel department staff member, isenabled to access the respective server computers with the primaryaccess right provided to personnel department staff as long as he/sheperforms access using any of client computers 11 to 14 that areinstalled in personnel department 10, when user a uses a client computerinstalled in lounge 20 or company dormitory 30, he/she cannot acquirehis/her primary access right. The security issues described in Section 0can thus be resolved.

Even with this second embodiment, in order to perform the environmentinformation comparison process and the access right setting processaccording to the comparison result, corresponding components must beprepared in a client computer. FIG. 6 is a block diagram of thearrangement of client computer 11 for implementing the secondembodiment. As illustrated, client computer 11 has server access means11A, access right setting means 11B, environment comparing means 11H,and interface means 11D. Although obviously besides these, variouscomponents for realizing functions as a client computer (for example, aCPU, memory, hard disk, input/output device, etc., for executing an OSprogram and application programs) are equipped, description thereofshall be omitted here.

Client computer 11 is connected to network 100 under a specific networkenvironment and this specific network environment can be indicated bythe predetermined environment information ENV(11). As described above,the IP address, default gateway address, proxy server address, etc., canbe used as environment information ENV(11).

As in the embodiment shown in FIG. 3, interface means 11D is thecomponent for connecting portable information recording medium R11 andis arranged from a reader/writer device for IC cards. In performing thelogin procedure on client computer 11, the user installs portableinformation recording medium R11, which is an IC card, in interfacemeans 11D, which is a reader/writer device, and can thereby put the twocomponents in a connected state. In ending use, the two components canbe separated from each other by drawing the IC card out of thereader/writer device.

Environment comparing means 11H is a component having a function ofcomparing the environment information, recorded in the presentlyconnected portable information recording medium, and the environmentinformation, indicating the current network environment of clientcomputer 11, and access right setting means 11B is the component havingthe function of setting a predetermined access right based on thecomparison result. When the comparison result indicates matching, accessright setting means 11B sets the first access right and when thecomparison result indicates mismatching, access right setting means 11Bsets the second access right with more restrictions than the firstaccess right. Server access means 11A is the component that performsaccess to server computers 110 and 120 within the range of the accessright that has been set.

With the example shown in FIG. 6, since user α uses portable informationrecording medium R11, which is his/her own employee ID card, to performthe login procedure on client computer 11, the result of comparison byenvironment comparing means 11H will indicate matching. That is, sinceenvironment comparing means 11H performs a process of comparingenvironment information ENV(11) in portable information recording mediumR11 that has been read via interface means 11D and environmentinformation ENV(11) that indicates the current network environment ofclient computer 11, a result indicating that the two are matched isobtained in this example and access right setting means 11B thus setsthe first access right.

If the same login procedure is carried out on client computer 21installed in lounge 20, since environment information ENV(11) inportable information recording medium R11 and environment informationENV(21) indicating the network environment of client computer 21 are notmatched, environment comparing means 21H in client computer 21 willindicate a mismatching result and access right setting means 21B willset the second access right. The difference between access under thefirst access right and access under the second access right is as hasbeen described in Section 1.

FIG. 7 is a block diagram of the arrangement of a modification exampleof the second embodiment shown in FIG. 2, wherein the comparison processand the access right setting process are executed at a portableinformation processing device. As illustrated, although client computer11 has server access means 11A, which performs access to servercomputers within the range of an access right transmitted from thecurrently connected portable information processing device, andinterface means 11D, for connecting the portable information processingdevice, it is not equipped with an environment comparing means and anaccess right setting means.

Meanwhile, portable information processing device P11 is an IC card withinformation processing functions and, as illustrated, has an environmentcomparing means 11I, access right setting means 11F, and access righttransmitting means 11G. Environment comparing means 11I is a componentthat compares the environment information indicating the networkenvironment of the currently connected client computer and theenvironment information recorded in itself, access right setting means11F is a component that sets a predetermined access right based on thecomparison result, and access right transmitting means 11G is acomponent that transmits the set access right to the currently connectedclient computer.

As illustrated, when user a uses portable information processing deviceP11 (IC card with information processing functions), which is user α'sown employee ID card, to perform the login procedure on client computer11, environment comparing means 11I performs the process of comparingenvironment information ENV(11), which indicates the network environmentof client computer 11 and is read via interface means 11D, andenvironment information ENV(11) recorded in portable informationprocessing device P11. Since a result indicating matching of the two isobtained in this example, access right setting means 11F sets the firstaccess right and the set access right is transmitted via interface means11D to server access means 11A. As a result, server access means 11Aperforms access to the server computers based on the first access right.

Obviously when the same login procedure is carried out on clientcomputer 21 installed in lounge 20, since environment informationENV(11) in portable information processing device P11 does not matchenvironment information ENV(21) that indicates the network environmentof client computer 21, a mismatching comparison result is obtained atenvironment comparing means 11I and access right setting means 11F setsthe second access right. As a result, server access means 21A performsaccess to the server computers based on the second access right.

Section 3. Third Embodiment of this Invention

A third embodiment, which shall now be described, corresponds to being acombination of the first embodiment described in Section 1 and thesecond embodiment described in Section 2. That is, the characteristic ofthe first embodiment is that for each individual user, a specific clientcomputer that the user is to use primarily is set and the access rightsetting is changed according to whether or not access is made from theprimary client computer, and the characteristic of the second embodimentis that for each individual user, a specific network environment thatthe user is to use primarily is set and the access right setting ischanged according to whether or not access is made from the primarynetwork environment. A characteristic of the third embodiment is thatfor each individual user, a specific client computer that the user is touse primarily and a specific network environment that the user is to useprimarily are set and the access right setting is changed inconsideration of whether or not access is made from the primary clientcomputer and whether or not access is made from the primary networkenvironment.

Thus in the third embodiment, a specific identification code and anenvironment information indicating a specific network environment arerecorded in a portable information recording medium that is issued toeach individual user. When a user performs a login procedure on a clientcomputer, a process of comparing the identification code recorded in theclient computer and the identification code recorded in a portableinformation recording medium and a process of comparing the currentnetwork environment of the client computer and the network environmentindicated by the environment information recorded in the portableinformation recording medium are carried out and predetermined accessrights are set based on the comparison results.

FIG. 8 is a block diagram for describing the third embodiment of thisinvention and shows a portion of the computer system shown in FIG. 1. Anexample, wherein portable information recording media R11, R12, and R21are issued to the three users α, β, and γ, respectively, is illustratedhere as well. In each of portable information recording media R11, R12,and R21 are recorded a predetermined identification code and apredetermined environment information. For example, identification codeID(11) of client computer 11, which user α is to use primarily, andenvironment information ENV(11), which indicates the network that user αis to use primarily, are recorded in portable information recordingmedium R11 issued to user α (the IC card issued as the employee ID cardof user α). Likewise, identification code ID(12) of client computer 12,which user β is to use primarily, and environment information ENV(12),which indicates the network environment, which user β is to useprimarily, are recorded in portable information recording medium R12issued to user β (the IC card issued as the employee ID card of user β),and identification code ID(21) of client computer 21, which user γ is touse primarily, and environment information ENV(21), which indicates thenetwork environment, which user γ is to use primarily, are recorded inportable information recording medium R21 issued to user γ (the IC cardissued as the employee ID card of user γ).

With the example shown in FIG. 8, when, for example, user α connectsportable information recording medium R11, which has been issued as userα's own employee ID card, to client computer 11 of personnel department10 and performs the login procedure, a task of comparing identificationcode ID(11) in client computer 11 and identification code ID(11)recorded in portable information recording medium R11 and a task ofcomparing environment information ENV(11), which indicates the networkenvironment of client computer 11, with environment information ENV(11),recorded in predetermined portable information recording medium R11, areperformed. Access rights are then set based on the comparison results.With this example, both of the two comparison results will indicatematching.

If instead of client computer 11, user α performs the login procedure onclient computer 12, a task of comparing identification code ID(12) inclient computer 12 and identification code ID(11) recorded in portableinformation recording medium R11 and a task of comparing environmentinformation ENV(12), which indicates the network environment of clientcomputer 12, with environment information ENV(11), recorded inpredetermined portable information recording medium R11, are performed.In this case, although the mismatching result, ID(11)≠ID(12), isobtained by the identification code comparison task, the matchingresult, ENV(11)=ENV(12), is obtained by the network environmentcomparison task.

Meanwhile, if user α performs access using client computer 21, installedin lounge 20, the mismatching result, ID(11)≠ID(21), is obtained in theidentification code comparison task and the mismatching result,ENV(11)≠ENV(21), is obtained in the network environment comparison taskas well. If user α performs access by moving client computer 11,installed in personnel department 10, to lounge 20 and connecting clientcomputer 11 to the LAN in lounge 20, although the matching result,ID(11)=ID(11), is obtained in the identification code comparison task,the mismatching result, ENV(11)≠ENV(12), is obtained in the networkenvironment comparison task.

Thus by combining the identification code comparison task and thenetwork environment comparison task, a total of four combinations ofcomparison results are obtained, thus enabling a variation of four typesof access right setting.

FIG. 9 is a block diagram of the arrangement of client computer 11 forimplementing the third embodiment that corresponds to being a synthesisof the arrangement of FIG. 3 and the arrangement of FIG. 6. Since thefunctions of the individual components are the same as those describedin Section 1 and Section 2, the description of the functions of therespective components shall be omitted here. As illustrated, bothidentification code ID(11) and environment information ENV(11) arerecorded in portable information recording medium R11. Also, bothidentification code comparing means 11C, which performs theidentification comparison task, and environment comparing means 11H,which performs the network environment comparison, are disposed atclient computer 11, and access right setting means 11B sets apredetermined access right based on the two comparison results.

FIG. 10 is a block diagram of the arrangement of a modification exampleof the third embodiment, wherein the comparison processes and the accessright setting process are executed at a portable information processingdevice. The arrangement of this block diagram corresponds to being asynthesis of the arrangement of FIG. 4 and the arrangement of FIG. 7.Since the functions of the individual components are the same as thosedescribed in Section 1 and Section 2 here as well, the description ofthe functions of the respective components shall be omitted. Asillustrated, portable information processing device P11 has bothidentification code ID(11) and environment information ENV(11) recordedtherein and is provided with both identification code comparing means11E, which performs the identification comparison task, and environmentcomparing means 11I, which performs the network environment comparison.Access right setting means 11F sets a predetermined access right basedon the two comparison results.

Although as mentioned above, with the third embodiment, by combining theidentification code comparison task and the network environmentcomparison task, a total of four combinations of comparison results areobtained to enabling a variation of four types of access right settings,in actuality, just three types of access right settings will suffice.Here, two practical access right setting algorithms that can be appliedto a computer system that is used by many companies shall be describedas examples.

A first algorithm is that of a method wherein, when the identificationcode comparison result indicates matching, the first access right is setregardless of the network environment comparison result, when theidentification code comparison result indicates mismatching but thenetwork environment comparison result indicates matching, the secondaccess right, with more restrictions than the first access right, isset, and when neither of the comparison results indicates matching, thethird access right, with even more restrictions than the second accessright is set. With this method, access right management that is in linewith the operation of an actual computer system is enabled.

FIG. 11 is a flowchart of the access right setting method based on sucha policy. First, when in step S1, a user performs the login procedure ona certain client computer, the identification code comparison task isperformed in step S2. If the identification codes are matched here,branching to step S6 via step S3 is performed and the first accessright, with a low amount of restrictions, is set. In this case, thenetwork environment comparison task does not have to be performed.Meanwhile, if the identification codes are mismatched, step S4 isentered via step S3 and the network environment comparison task isperformed. If the network environments are matched, branching to step S7is performed via step S5 and the second access right, with anintermediate amount of restrictions, is set. If even the networkenvironments are mismatched, branching to step S8 is performed via stepS5 and the third access right, with a high amount of restrictions, isset.

Thus when access right setting is performed based on the algorithm shownin FIG. 11, as long as the user uses the primary client computer thathas been supplied to him/her, the user is provided with the first accessright of the highest level (the access right that is to be provided tothe user primarily) regardless of which network environment the clientcomputer is used in. Meanwhile, if the user performs access using aclient computer besides the primary client computer, the user isprovided with the second access right of the intermediate level if theaccess is made from the primary network environment and is provided withthe third access right of the lowest level if the access is made from anetwork environment besides the primary network environment.

Meanwhile, a second algorithm is that of a method wherein, when both theresult of comparison by the identification code comparing means and theresult of comparison by the environment comparing means indicatematching, the first access right is set, when the result of comparisonby the identification code comparing means indicates matching but theresult of comparison by the environment comparing means indicatesmismatching, the second access right, with more restrictions than thefirst access right, is set, and when neither of the comparison resultsindicates matching, the third access right, with even more restrictionsthan the second access right is set. Access right management that is inline with the operation of an actual computer system is enabled withthis method as well.

FIG. 12 is a flowchart of the access right setting method based on sucha policy. First, when in step S1, a user performs a login procedure on acertain client computer, the identification code comparison task isperformed in step S2. If the identification codes are matched here,branching to step S4 via step S3 is performed and the networkenvironment comparison task is performed. If the network environmentsare also matched, branching to step S6 is performed via step S5 and thefirst access right, with a low amount of restrictions, is set. If thenetwork environments are mismatched, branching to step S7 is performedvia step S5 and the second access right, with an intermediate amount ofrestrictions, is set. If the identification codes are mismatched,branching to step S8 is performed from step S3 and the third accessright, with a high amount of restrictions, is set. In this case, thenetwork environment comparison task does not have to be performed.

Thus when access right setting is performed based on the algorithm shownin FIG. 12, as long as the user uses the primary client computer thathas been supplied to him/her in the primary network environment, he/sheis provided with the first access right of the highest level (the accessright that is to be provided to the user primarily). Meanwhile, if theuser performs access using the primary client computer that has beensupplied to him/her but from a network environment that differs from theprimary network environment, the user is provided with the second accessright of the intermediate level. If the user uses another clientcomputer that is not the primary client computer that has been suppliedto him/her, the user is provided with the access right of the lowestlevel regardless of the network environment.

Although examples of two types of access right setting algorithm thatcan be used with the third embodiment were described above, the accessright settings of this invention may obviously be arranged freely tosuit each individual computer system and are not restricted to theabove-described examples. For example, four types of access rightsettings may be made based on four types of comparison results.

Section 4. Some Modification Examples

Although this invention has been described above using three basicembodiments, this invention is not restricted to these embodiments andmay be put into practice in various other modes. Lastly, somemodification examples of carrying out this invention shall be described.

(1) Although a characteristic point of this invention is thatpredetermined access rights are set based on the identification codecomparison result or the network environment comparison result,obviously for practical use, combined use may be made with aconventionally practiced method of verifying a user by means of anaccount and a password and providing predetermined access rights thatare set according to user.

(2) Although with the above examples, cases where a singleidentification code or a single environment information is recorded inthe portable information recording medium were described, a plurality ofidentification codes or a plurality of network environments may berecorded and comparison may be performed for each of these. In thiscase, different access rights may be set according to whichidentification codes are matched or according to which networkenvironments are matched. For example, two identification codes ID(11-1)and ID(11-2) may be recorded in portable information recording mediumR11 issued to user α, and the first access right may be set whenmatching is achieved with identification code ID(11-1) and the secondaccess right may be set when matching is achieved with identificationcode ID(11-2).

(3) Although with the above-described examples, cases where characterstrings, each indicating a code or address, are matched completely weredescribed as examples of matching of identification codes or environmentinformation, comparison matching in this invention does not necessarilysignify cases where character strings, etc., are in complete one-to-onecorrespondence but signifies that client computer side information andportable information recording medium side information correspond insome form. For example, even if the client computer side information isA and the portable information recording medium side information is B,if these are in a relationship wherein information B is obtainedunambiguously by applying a specific computing process on information A,since the correspondence of information A and information B can beconfirmed by carrying out the specific computing process, comparisonmatching can be judged.

(4) In this invention, access rights include not only rights enablingreading and writing of files but also rights concerning various otherprocesses such as the right to enable printout of file contents.

(5) In this invention, “server computer” refers widely to computers thatprovide data or services, and “client computer” refers widely tocomputers that receive data or services. Thus for example, if in thearrangement shown in FIG. 1, client computer 11 executes a process oftransmitting data stored in client computer 14 via a network, clientcomputer 14 functions as a “server computer” in regard to this process.

(6) Although in FIG. 3, FIG. 4, FIG. 6, FIG. 7, FIG. 9, and FIG. 10, theclient computers, portable information processing devices, and otherindividual components are respectively indicated as blocks, inactuality, these blocks are components that are realized by programsincorporated in computers or IC cards. Needless to say, these programscan be recorded in and distributed by a CD-ROM or other computerreadable recording medium.

INDUSTRIAL APPLICABILITY

This invention can be applied widely to systems that are used byconnecting a plurality of computers that function as servers or clientsto a network. This invention is particularly optimal for applicationswherein a dedicated network, such as a LAN or WAN, is constructed in acompany, servers with various functions are connected to this network,the servers are accessed by individual employees using personalcomputers, etc., and different access rights are set according tocircumstances for each individual employee.

1. A computer system comprising: a network (100); a server computer(110, 120) connected to the network; a plurality of client computers(11, 12, 21) connectable to the network; and portable informationrecording media (R11, R12, R21) issued respectively to individual usersfor use upon connection to the client computers; wherein a uniqueidentification code (ID(11), ID(12), ID(21)) is recorded in each of theclient computers (11, 12, 21) so as to enable distinction from otherclient computers, an identification code (ID(11), ID(12), ID(21)) thatcorresponds to a specific identification code recorded in a specificclient computer is recorded in each of the portable informationrecording media (R11, R12, R21), and each of the client computers (11,12, 21) comprises an interface means (11D) for connecting a portableinformation recording medium (R11, R12, R21), an identification codecomparing means (11C) that compares an identification code recorded in acurrently connected portable information recording medium (R11) and anidentification code recorded in itself, an access right setting means(11B) that sets a predetermined access right based on a comparisonresult, and a server access means (11A) that performs access to theserver computer within a range of the access right that has been set. 2.A computer system comprising: a network (100); a server computer (110,120) connected to the network; a plurality of client computers (11, 12,21) connectable to the network; and portable information processingdevices (P11) issued respectively to individual users for use uponconnection to the client computers; wherein a unique identification code(ID(11), ID(12), ID(21)) is recorded in each of the client computers(11, 12, 21) so as to enable distinction from other client computers, anidentification code (ID(11)) that corresponds to a specificidentification code recorded in a specific client computer is recordedin each of the portable information processing devices (P11), each ofthe client computers (11, 12, 21) comprises an interface means (11D) forconnecting a portable information processing device (P11), and a serveraccess means (11A) that performs access to the server computer (110,120) within a range of an access right that is transmitted from acurrently connected portable information processing device (P11), andeach of the portable information processing devices (P11) comprises anidentification code comparing means (11E) that compares anidentification code (ID(11)) recorded in a currently connected clientcomputer (11) and an identification code (ID(11)) recorded in itself, anaccess right setting means (11F) that sets a predetermined access rightbased on a comparison result, and an access right transmitting means(11G) that transmits, to the currently connected client computer (11),the access right that has been set.
 3. The computer system according toclaim 1, wherein the access right setting means (11B, 11F) sets a firstaccess right when the comparison result indicates matching and sets asecond access right, with more restrictions than the first access right,when the comparison result indicates mismatching.
 4. The computer systemaccording to claim 1, wherein a MAC address provided to a LANcommunication circuit incorporated in a client computer (11, 12, 21),unique data stored in a storage device of the client computer (11, 12,21), or information indicating an arrangement of application programsstored in a storage device of the client computer (11, 12, 21) is usedas a unique identification code for identifying the client computer (11,12, 21).
 5. A computer system comprising: a network (100); a servercomputer (110, 120) connected to the network; a plurality of clientcomputers (11, 12, 21) connectable to the network; and portableinformation recording media (R11, R12, R21) issued respectively toindividual users for use upon connection to the client computers;wherein environment information (ENV(11), ENV(12), ENV(21)) thatindicates a specific network environment that is obtained when a clientcomputer (11, 12, 21) is connected to a specific location of the network(100) is recorded in each of the portable information recording media(R11, R12, R21), and each of the client computers (11, 12, 21) comprisesan interface means (11D) for connecting a portable information recordingmedium (R11, R12, R21), an environment comparing means (11H) thatcompares a network environment indicated by environment information(ENV(11)) recorded in a currently connected portable informationrecording medium (R11) and a current network environment of itself, anaccess right setting means (11B) that sets a predetermined access rightbased on a comparison result, and a server access means (11A) thatperforms access to the server computer within a range of the accessright that has been set.
 6. A computer system comprising: a network(100); a server computer (110, 120) connected to the network; aplurality of client computers (11, 12, 21) connectable to the network;and portable information processing devices (P11) issued respectively toindividual users for use upon connection to the client computers;wherein environment information that indicates a specific networkenvironment that is obtained when a client computer (11, 12, 21) isconnected to a specific location of the network (100) is recorded ineach of the portable information processing devices (P11), each of theclient computers (11, 12, 21) comprises an interface means (11D) forconnecting a portable information processing device (P11), and a serveraccess means (11A) that performs access to the server computer (110,120) within a range of an access right that is transmitted from acurrently connected portable information processing device (P11), andeach of the portable information processing devices (P11) comprises anenvironment comparing means (11I) that compares a network environment ofa currently connected client computer and a network environmentindicated by environment information (ENV(11)) recorded in itself, anaccess right setting means (11F) that sets a predetermined access rightbased on a comparison result, and an access right transmitting means(11G) that transmits, to the currently connected client computer (11),the access right that has been set.
 7. The computer system according toclaim 5, wherein the access right setting means (11B, 11F) sets a firstaccess right when the comparison result indicates matching and sets asecond access right, with more restrictions than the first access right,when the comparison result indicates mismatching.
 8. The computer systemaccording to claim 5, wherein an IP address provided to a clientcomputer (11, 12, 21), a default gateway address set for the clientcomputer (11, 12, 21), a proxy server address set for the clientcomputer (11, 12, 21), or a domain name which can be referred by a DNSserver used by the client computer (11, 12, 21) is used as environmentinformation that indicates a network environment of the client computer(11, 12, 21).
 9. A computer system comprising: a network (100); a servercomputer (110, 120) connected to the network; a plurality of clientcomputers (11, 12, 21) connectable to the network; and portableinformation recording media (R11, R12, R21) issued respectively toindividual users for use upon connection to the client computers;wherein a unique identification code (ID(11), ID(12), ID(21)) isrecorded in each of the client computers (11, 12, 21) so as to enabledistinction from other client computers, an identification code (ID(11),ID(12), ID(21)) that corresponds to a specific identification coderecorded in a specific client computer and environment information(ENV(11), ENV(12), ENV(21)) that indicates a specific networkenvironment that is obtained when a client computer (11, 12, 21) isconnected to a specific location of the network (100) are recorded ineach of the portable information recording media (R11, R12, R21), andeach of the client computers (11, 12, 21) comprises an interface means(11D) for connecting a portable information recording medium (R11, R12,R21), an identification code comparing means (11C) that compares anidentification code (ID(11)) recorded in a currently connected portableinformation recording medium (R11) and an identification code (ID(11))recorded in itself, an environment comparing means (11H) that compares anetwork environment indicated by environment information (ENV(11))recorded in a currently connected portable information recording medium(R11) and a current network environment of itself, an access rightsetting means (11B) that sets a predetermined access right based oncomparison results, and a server access means (11A) that performs accessto the server computer within a range of the access right that has beenset.
 10. A computer system comprising: a network (100); a servercomputer (110,120) connected to the network; a plurality of clientcomputers (11, 12, 21) connectable to the network; and portableinformation processing devices (P11) issued respectively to individualusers for use upon connection to the client computers; wherein a uniqueidentification code (ID(11), ID(12), ID(21)) is recorded in each of theclient computers (11, 12, 21) so as to enable distinction from otherclient computers, an identification code (ID(11), ID(12), ID(21)) thatcorresponds to a specific identification code recorded in a specificclient computer and environment information (ENV(11), ENV(12), ENV(21))that indicates a specific network environment that is obtained when aclient computer (11, 12, 21) is connected to a specific location of thenetwork (100) are recorded in each of the portable informationprocessing devices (P11), each of the client computers (11, 12, 21)comprises an interface means (11D) for connecting a portable informationprocessing device (P11), and a server access means (11A) that performsaccess to the server computer (110, 120) within a range of an accessright that is transmitted from a currently connected portableinformation processing device (P11), and each of the portableinformation processing devices (P11) comprises an identification codecomparing means (11E) that compares an identification code (ID(11))recorded in a currently connected client computer (11) and anidentification code (ID(11)) recorded in itself, an environmentcomparing means (11I) that compares a network environment of thecurrently connected client computer and a network environment indicatedby environment information (ENV(11)) recorded in itself, an access rightsetting means (11F) that sets a predetermined access right based oncomparison results, and an access right transmitting means (11G) thattransmits, to the currently connected client computer (11), the accessright that has been set.
 11. The computer system according to claim 9,wherein the access right setting means (11B, 11F) sets a first accessright when the result of comparison by the identification code comparingmeans (11C, 11E) indicates matching, sets a second access right, withmore restrictions than the first access right, when the result ofcomparison by the identification code comparing means (11C, 11E)indicates mismatching but the result of comparison by the environmentcomparing means (11H, 11I) indicates matching, and sets a third accessright, with even more restrictions than the second access right, whenneither of the comparison results indicates matching.
 12. The computersystem according to claim 9, wherein the access right setting means(11B, 11F) sets a first access right when both the result of comparisonby the identification code comparing means (11C, 11E) and the result ofcomparison by the environment comparing means (11H, 11I) indicatematching, sets a second access right, with more restrictions than thefirst access right, when the result of comparison by the identificationcode comparing means (11C, 11E) indicates matching but the result ofcomparison by the environment comparing means (11H, 11I) indicatesmismatching, and sets a third access right, with even more restrictionsthan the second access right, when neither of the comparison resultsindicates matching.
 13. An access right setting method for a computersystem comprising: a network (100); a server computer (110, 120)connected to the network; and a plurality of client computers (11, 12,21) connectable to the network; the method setting an access right wheneach individual user uses a client computer to access the servercomputer and comprising: a preparation step, wherein a portableinformation processing device (P11), to be used by connecting to aclient computer (11, 12, 21), is issued to each individual user, and anidentification code (ID(11)), corresponding to a unique identificationcode that is recorded in a specific client computer (11) and enablesdistinction of the specific client computer from other client computers,is recorded in the portable information processing device; and an accessright setting step, wherein when a user connects a predeterminedportable information processing device (P11), issued to him/herself, toa predetermined client computer (11) and performs a login procedure onthe predetermined client computer, the predetermined client computer(11) or the predetermined portable information processing device (P11)is made to compare an identification code (ID(11)) recorded in thepredetermined client computer (11) with an identification code (ID(11))recorded in the predetermined portable information processing device(P11) and set a predetermined access right based on a comparison result;wherein when in the access right setting step, the comparison resultindicates mismatching, an access right with more restrictions than whenthe comparison result indicates matching is set.
 14. An access rightsetting method for a computer system comprising: a network (100); aserver computer (110, 120) connected to the network; and a plurality ofclient computers (11, 12, 21) connectable to the network; the methodsetting an access right when each individual user uses a client computerto access the server computer and comprising: a preparation step,wherein a portable information processing device (P11), to be used byconnecting to a client computer (11, 12, 21), is issued to eachindividual user, and environment information (ENV(11)) that indicates aspecific network environment that is obtained when a client computer(11) is connected to a specific location of the network (100) isrecorded in the portable information processing device; and an accessright setting step, wherein when a user connects a predeterminedportable information processing device (P11), issued to him/herself, toa predetermined client computer (11) and performs a login procedure onthe predetermined client computer, the predetermined client computer(11) or the predetermined portable information processing device (P11)is made to compare a current network environment of the predeterminedclient computer (11) with a network environment indicated by environmentinformation (ENV(11)) recorded in the predetermined portable informationprocessing device (P11) and set a predetermined access right based on acomparison result; wherein when in the access right setting step, thecomparison result indicates mismatching, an access right with morerestrictions than when the comparison result indicates matching is set.15. An access right setting method for a computer system comprising: anetwork (100); a server computer (110, 120), connected to the network;and a plurality of client computers (11, 12, 21) connectable to thenetwork; the method setting an access right when each individual useruses a client computer to access the server computer and comprising: apreparation step, wherein a portable information processing device(P11), to be used by connecting to a client computer (11, 12, 21), isissued to each individual user, and an identification code (ID(11)),corresponding to a unique identification code that is recorded in aspecific client computer (11) and enables distinction of the specificclient computer from other client computers, and environment information(ENV(11)) that indicates a specific network environment that is obtainedwhen a client computer (11) is connected to a specific location of thenetwork (100) are recorded in the portable information processingdevice; and an access right setting step, wherein when a user connects apredetermined portable information processing device (P11), issued tohim/herself, to a predetermined client computer (11) and performs alogin procedure on the predetermined client computer, the predeterminedclient computer (11) or the predetermined portable informationprocessing device (P11) is made to compare an identification code(ID(11)) recorded in the predetermined client computer (11) with anidentification code (ID(11)) recorded in the predetermined portableinformation processing device (P11), compare a current networkenvironment of the predetermined client computer (11) with a networkenvironment indicated by environment information (ENV(11)) recorded inthe predetermined portable information processing device (P11), and seta predetermined access right based on comparison results; wherein in theaccess right setting step, if an identification code comparison resultindicates matching, a first access right is set, if the identificationcode comparison result indicates mismatching but a network environmentcomparison result indicates matching, a second access right, with morerestrictions than the first access right, is set, and if neither of thecomparison results indicate matching, a third access right, with evenmore restrictions than the second access right, is set.
 16. An accessright setting method for a computer system comprising: a network (100);a server computer (110, 120), connected to the network; and a pluralityof client computers (11, 12, 21) connectable to the network; the methodsetting an access right when each individual user uses a client computerto access the server computers and comprising: a preparation step,wherein a portable information processing device (P11), to be used byconnecting to a client computer (11, 12, 21), is issued to eachindividual user, and an identification code (ID(11)), corresponding to aunique identification code that is recorded in a specific clientcomputer (11) and enables distinction of the specific client computerfrom other client computers, and environment information (ENV(11)) thatindicates a specific network environment that is obtained when a clientcomputer (11) is connected to a specific location of the network (100)are recorded in the portable information processing device; and anaccess right setting step, wherein when a user connects a predeterminedportable information processing device (P11), issued to him/herself, toa predetermined client computer (11) and performs a login procedure onthe predetermined client computer, the predetermined client computer(11) or the predetermined portable information processing device (P11)is made to compare an identification code (ID(11)) recorded in thepredetermined client computer (11) with an identification code (ID(11))recorded in the predetermined portable information processing device(P11), compare a current network environment of the predetermined clientcomputer (11) with a network environment indicated by environmentinformation (ENV(11)) recorded in the predetermined portable informationprocessing device (P11), and set a predetermined access right based oncomparison results; wherein in the access right setting step, if both anidentification code comparison result and a network environmentcomparison result indicate matching, a first access right is set, if theidentification code comparison result indicates matching but the networkenvironment comparison result indicates mismatching, a second accessright, with more restrictions than the first access right, is set, andif neither of the comparison results indicate matching, a third accessright, with even more restrictions than the second access right, is set.17. A program for making a computer function as a client computer in thecomputer system according to claim 1 or a computer-readable recordingmedium recording the program.